Is the law evolving to hold individuals–specifically the CISO–responsible for companies’ cybersecurity failures?

In my opinion, the answer is yes, albeit slowly and incrementally, but it certainly appears to be moving in that direction. Here are some of my thoughts on the SEC’s recent issuance of a Wells Notice to SolarWinds’ executives — including the CISO — in response to SolarWinds’ December 2020 cyber attack:

“The law evolves in incremental steps and, in my opinion, what this shows is a very early-in-development—yet consistent—trend toward trying to name and hold individuals responsible for cybersecurity failures in companies, and it seems the CISO will be at the top of the list. While the facts of both the SolarWinds case and the recent prosecution and conviction of the Uber CSO make them exceptional and somewhat outlier cases for many reasons, we are seeing a pattern develop with federal enforcement that goes back to at least 2015 with the Department of Justice’s ‘Yates Memo,’ which encouraged the naming of individuals by explaining that ‘One of the most effective ways to combat corporate misconduct is by seeking accountability from the individuals who perpetrated the wrongdoing.’”

— Read more about this here: SEC notices spark alarm for cyber executives (The Washington Post); and Wells Notice Against SolarWinds CISO Could Be First of Its Kind (SecureWorld)

Published by Shawn E. Tuma

Shawn Tuma is an attorney who is internationally recognized in cybersecurity, computer fraud and data privacy law, areas in which he has practiced for nearly two decades. He is a Partner at Spencer Fane, LLP where he regularly serves as outside cybersecurity and privacy counsel to a wide range of companies from small to midsized businesses to Fortune 100 enterprises. You can reach Shawn by telephone at 972.324.0317 or email him at stuma@spencerfane.com.